Permission 'administer nodes' not properly handled

Your "editors" role is not the one generated by FA for moderators, is it? That one has all four checkboxes grayed out, and you should never do anything with it yourself.

Otherwise, Post should not be grayed out. Without it, node administrators are not supposed to be able to post nodes or comments in that forum. They should always have View, See, Edit and Delete, though, and those cannot be withheld.

There have been some recent bug fixes in this area. Please update to 6.x-1.x-dev and let us know what you find.

if I point the user directly to the "add topic" URL "node/add/forum/16"

This trick should not work anymore, if the user doesn't have the Post grant.

Re. your pgsql issues with DNA: please report them in the Devel queue. If no one reports them, they'll never get fixed...

Yes, FA's moderator role is called Forum Moderator by default.

Please update your DNA and follow the procedure that was described when you posted this issue.

The node access system deals only with nodes, and so does DNA.

Your "editor user" having all zeroes is odd. It should have all 1s. Please try making some node access change in this forum, saving it, and then reverting the change and saving again. Does this help?

Could it be that you've added the "administer nodes" permission to the "editor user" role only after saving your forum's settings?

While the all-zeroes is bad, it doesn't explain

users in that role can't view, see or post in any "editor-private" forum

Please copy/paste the second line of your forum_access.module file.

Thanks for the additional details, I see the problem now.

I still don't understand the zeroes, though, but they don't seem to matter, as you point out.

Sorry for taking so long to look into this.

A little update (maybe due the moving from 6.x-1.3 to 6.x-1.x-dev): only using direct URLs (e.g. "/node/60", "node/add/forum/16"), users with "editor user" role can now read, edit and post topics (but with DNA still reporting the 0s). But the containers and topic lists are still not shown (access denied error if direct URLs are used).

Indeed, this seems to be mostly working now:

1. Users with 'administer nodes' don't need any 1s, because the node access system automatically gives them full access to all nodes (unless we do something weird, which we did in 6.x-1.3).
2. AFAICS these users do get the expected 111 access.
3. What do you mean with "only using direct URLs"? I'm seeing the expected links and can click on them just fine.
4. The one problem that I see is that View is checked and disabled, but the 'administrator nodes' user sees only some of the forums on the /forum page. I have yet to find out what the difference is between those that he sees and the others.

Are you seeing the same thing?

@Kafu: Thank you for your follow-up. If I understand you correctly, everything works fine for you now, right?

I'm mostly away from Internet access for a week, but I'll investigate my item 4 and will post what I find.

Now I see what is happening. We are currently inserting 111 records even for roles that have the 'administer nodes' permission. This is really unnecessary, except for the forums page where grant_view is checked to decide whether to display a forum/container or not. I had some of these 111 records missing on my test site, probably as a result of some development work.

Resetting the permissions solved this inconsistency and my node administrator can now see all forums. Resetting the permissions turned out to be a bit of a pain because we've optimized away the permissions processing if we find that the user hasn't changed anything. While this should never be necessary, I still added an option to disable the optimization and force an update, without having to make and undo a change. Committed to the -dev version.

This checking of grant_view on the forums page is a left-over from when we tried to hide forum topics from the node administrator. Due to feedback from sun we gave this up a while ago. AFAICS this is the only place where we use those 111 records, and it doesn't make sense to burden the {node_access} table with them for no reason. Moreover, if you remove 'administer nodes' from the role, the 111 would stay behind and you'd have to manually clear the three checkboxes for each forum to get it out of the system.

So I have done quite a bit of refactoring with the following goals:

• there shall be no new 111 records created for roles with the 'administer nodes' permission
• update 6104 shall remove existing 111 records for roles with the 'administer nodes' permission
• node administrators shall be able to view all forums and view all forum nodes
• node administrators shall be able to post only in those forums to which they have Post access (which needs to be granted specifically); this means they get a reduced forum list when creating a new node
• node administrators by definition can edit all nodes, including nodes in forums to which they have no access; this means they need the full forum list when they edit an existing node

Obviously, a node administrator could post a forum topic in another forum and then move it to one where he has no posting rights. This mechanism is not intended to be secure (we don't give 'administer nodes' to anyone we don't trust!), but as a help to remind node administrators if they should not post in a given forum.

I've done a fair amount of refactoring and testing and committed the result to the -dev version (give it up to 12h to be repackaged). Please test this and let us know how it works!

I think my case is related to this:
I've got a role called "Full Admin" wich basically has all permissions (including 'administer nodes' and 'administer comments').
As a result, this role has grayed out yet checked edit- and delete-boxes for every forum. I however am unable to check the 'view'-permission for this role because "it also has administer forums-access" (it keeps disappearing when i save). (so because they have the 'administer forums'-permission, you are denying them to view and administer the forum?)

Full Admin's can view and post on all forums (if they have the post permission there) as well as edit the topic and comments. They however only get to see the delete-link on comments if they have an additional role (one without admin-permissions) that also has the delete-permission for that forum, but comment/delete/% doesn't give a permission denied error. So it seems that "Admin"-roles don't supply you with the rights to see the delete-link.

Full Admin's are also unable to edit forums at admin/content/forums for wich they don't have a role with the 'view'-permission. But because I can't assign the 'view'-permission to Full Admin's, I'd have to create another role that does have this permission and give every Full Admin this role too...

When I look at DNA, I get a surprising result: the role Full Admin is simply not listed on any topic.

The issue seems to happen at least since your 14/jul -dev-version.

Note: This hasn't got anything to do with my patches for those Edit-permissions, as I have also tested it with the unpatched versions.

PS I know you are working on remaking some stuff, but this is just to let you know of another symptom.

@Kafu: Thank you for testing and feedback!

@DruKaz: The July 29 -dev version fixes the disappearing View permission. Roles with the 'administer nodes' permission don't get any DNA entries because they have full access without them. This is intentional.

We'll have to deal with the delete comment links as part of the comment links task.

I found that the missing 'delete comment' link for users with the 'administer comments' permission was an issue of its own after all.

This is now fixed in the -dev version (give it up to 12h to be repackaged).

I believe this was the last open end in this thread.